Last week I detailed the setup involved with SSPR and how easy it is to implement. SSPR is a tremendous product and could potentially reduce the number of help desk tickets regarding forgotten passwords. While the setup is normally straightforward, I have experienced one specific issue that took me a few days to figure out (once I figured it out, I felt silly it took me so long to figure it out!!!). When installing AD Connect on a domain-joined server, an account that begins with MSOL is created.
In my previous blog, we enabled Password Synchronization and Password Writeback in AD Connect. The MSOL account that was created during the installation of AD Connect must have full permissions on at least the OUs that contain users.
Before I gave the MSOL account full permission, the error received was an SSPR_29 issue directing the users to contact their system administrators. Without making this change, the MSOL account would not have full permission to reset the accounts. Once the changes were made, users were able to reset their passwords without issue!!
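To confirm what the MSOL account actually holds on the user OU before and after the change, the following added example (not part of the original post) lists its access control entries and flags full control. It assumes the ActiveDirectory RSAT module is installed; `$UserOu` is a placeholder distinguished name, and the `MSOL*` filter follows the post's description of the account name.

```powershell
# Added example: report the ACEs the AD Connect MSOL account holds on a user OU.
# Assumptions: ActiveDirectory module (RSAT) is available; $UserOu is a placeholder.
Import-Module ActiveDirectory

$UserOu = 'OU=Users,DC=example,DC=com'   # placeholder: replace with the OU that contains your users

# AD Connect creates an account whose name begins with MSOL.
$msolAccounts = Get-ADUser -Filter "SamAccountName -like 'MSOL*'"
if (-not $msolAccounts) {
    throw 'No account beginning with MSOL was found in this domain.'
}

# Read the OU's DACL and resolve every trustee to a SID, so the match
# does not depend on how the account name is displayed.
$acl   = Get-Acl -Path "AD:\$UserOu"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($account in $msolAccounts) {
    # Only ACEs granted directly to the account are matched here;
    # rights obtained through group membership are not shown.
    $aces = $rules | Where-Object { $_.IdentityReference.Value -eq $account.SID.Value }

    if (-not $aces) {
        Write-Warning "$($account.SamAccountName) has no direct ACE on $UserOu"
        continue
    }

    $aces | Select-Object `
        @{ Name = 'Account';     Expression = { $account.SamAccountName } },
        AccessControlType,
        ActiveDirectoryRights,
        InheritanceType,
        IsInherited,
        @{ Name = 'FullControl'; Expression = { $_.ActiveDirectoryRights.HasFlag($fullControl) } } |
        Format-Table -AutoSize
}
```

A warning for the account, or no row with `FullControl` set to `True`, matches the state described above in which resets failed with SSPR_29.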